
WHITE PAPER: 802.1X PORT AUTHENTICATION WITH LDAP

IRONSHIELD WHITE PAPER

Written By: Philip Kwan


March 2003
Version 1.0.0

© 2003 Foundry Networks, Inc. All Rights Reserved.

Summary
Lightweight Directory Access Protocol (LDAP) is one of the most widely used authentication directories in modern
networks. This white paper describes Foundry's 802.1X Port Authentication feature and how it works with
OpenLDAP and Interlink Networks' Secure.XS server.

Contents
Nomenclature
Related Publications
Trademarks
802.1X Port Authentication Basics
LDAP
Sample OpenLDAP Implementation
    Installing OpenLDAP
    RADIUS Authentication Proxy
        Installing Secure.XS
        Secure.XS Windows Version 6.0.3
Configuring 802.1X Port Authentication
    Other 802.1X Commands
    Multiple Host Situations
Configuring Windows Clients
    Testing the Client Connection
    Additional Tips
    Other 802.1X Clients Tested
Configuring Foundry's Dynamic VLAN Feature
    Configuring LDAP User Accounts
    Checking the RADIUS Dictionary
Creating Port-Based VLANs
Testing the Dynamic VLAN Feature

Disclaimer
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting Interlink
Networks' Secure.XS product. Refer to Interlink Networks for complete installation guidelines and product
information regarding Secure.XS components mentioned in this white paper.
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting
Meetinghouse's AEGIS Windows and Mac OS clients. Refer to Meetinghouse Data Communications for complete
installation guidelines and product information regarding AEGIS 802.1X clients mentioned in this white paper.
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting OpenLDAP.
Refer to the OpenLDAP community at www.OpenLDAP.org for complete installation guidelines and product
information.

Nomenclature
This guide uses the following typographical conventions to show information:
Italic highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold highlights a CLI command.
Bold Italic highlights a term that is being defined.
Underline highlights a link on the Web management interface.
Capitals highlights field names and buttons that appear in the Web management interface.

NOTE: A note emphasizes an important fact or calls your attention to a dependency.

Related Publications
The following Foundry Networks documents supplement the information in this guide.

Foundry Security Guide - provides procedures for securing management access to Foundry devices and for
protecting against Denial of Service (DoS) attacks.

Foundry Enterprise Configuration and Management Guide - provides configuration information for enterprise
routing protocols including IP, RIP, IP multicast, OSPF, BGP4, VRRP and VRRPE.

Foundry Switch and Router Command Line Interface Reference - provides a list and syntax information for all the
Layer 2 Switch and Layer 3 Switch CLI commands.

Trademarks
Microsoft Windows 2000 and Microsoft Windows XP are trademarks or registered trademarks of Microsoft
Corporation.
Secure.XS is a trademark or registered trademark of Interlink Networks.
AEGIS Client is a trademark or registered trademark of Meetinghouse Data Communications.
Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries.
All other trademarks are the properties of their respective owners.

802.1X Port Authentication Basics
Foundry's implementation of 802.1X Port Authentication is based on a series of standards:

RFC 2284 PPP Extensible Authentication Protocol (EAP)
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
RFC 2869 RADIUS Extensions

There are three components that are used to create an authentication mechanism based on 802.1X standards:
Client/Supplicant, Authenticator, Authentication Server.
Client/Supplicant

The client, or supplicant, is the device that needs to be authenticated to the network. It supplies the username
and password information to the Authenticator. The client uses the Extensible Authentication Protocol (EAP) to
talk to the Authenticator.

Authenticator

The Authenticator is the Foundry device performing the 802.1X Port Authentication and controlling access to
the network. The Authenticator receives the client's EAP credentials, passes them on to the Authentication
Server, and performs the necessary block or permit action based on the results from the Authentication Server.
The Authenticator uses RADIUS to speak to the Authentication Server.

Authentication Server

The Authentication Server validates the username and password information from the Client and specifies
whether or not access is granted. The Authentication Server may also specify optional parameters to control
things such as VLAN access. Foundry's 802.1X implementation currently supports standard RADIUS
Authentication Servers.
802.1X Clients use the Extensible Authentication Protocol (EAP) and EAP over LAN (EAPOL) to encapsulate the
communications between the Client and the Authenticator. EAPOL itself is only a framing layer; whatever
protection the credentials get comes from the EAP method in use. The Authenticator uses RADIUS to
communicate with the Authentication Server.
Before the Client is authenticated, the port's controlled port is in the unauthorized state and the switch port
only passes EAPOL authentication traffic between the Client and the Authenticator, which relays it to the
Authentication Server over RADIUS. All other normal data traffic is blocked. When the client authentication is
complete and access is granted, the controlled port is set to the authorized state to grant full network access.

Figure 1. Port Authentication Process


If a non-802.1X client is connected to an 802.1X-protected port, the Client will not recognize the EAPOL polling
traffic from the Authenticator and authentication will fail. The client will not be granted network access. If an
802.1X EAP-MD5 enabled client is connected to a non-802.1X port, it will attempt to send an EAPOL-Start frame
to the Foundry device. When the device doesn't respond to the EAP packet, the Client considers the port to be
authorized and starts sending normal traffic.
By default, Foundry devices place all ports in the authorized state, allowing full network access. When 802.1X
Port Authentication security is implemented, all 802.1X-enabled ports are switched to the unauthorized state to
prevent full network access. Foundry devices support the EAP-MD5 standard between the client and itself.
EAP-MD5 authenticates only the client to the server (there is no mutual authentication) and derives no keying
material; this is acceptable on a wired port but is the reason it is not suitable for wireless links.
NOTE: For more information on Foundry's implementation of 802.1X, please refer to the following resources:
802.1X White Paper: http://www.foundrynet.com/solutions/appNotes/PDFs/802.1XWhite_Paper.pdf


LDAP
Lightweight Directory Access Protocol (LDAP) is a directory service that is based on the X.500 Directory Services
model. LDAP is an information repository as well as a protocol for querying and manipulating the data in an
LDAP directory. The LDAP Directory is a specialized data repository that is tuned to provide fast responses to
queries: reading, browsing, and searching. It is made up of attribute-based and descriptive information that
supports complex searches and filtering activities. Directories are optimized for reads rather than for high
volumes of updates, and they support replication schemes for local and global architectures.
OpenLDAP is an open-source LDAP implementation developed by a community of users. OpenLDAP is
considered by many IT professionals to be a robust, commercial-grade LDAP solution and is used in enterprise
directory services. It uses schemas to allow flexible configuration of directory information that can house many
different types of corporate and personal information, allowing businesses to centralize and search directory
trees.
NOTE: For more information on OpenLDAP, please refer to the following site: www.openldap.org

Sample OpenLDAP Implementation


Due to the many different LDAP implementations and possible schema configurations, this White Paper will use a
base configuration of OpenLDAP to illustrate Foundry's 802.1X Port Authentication feature working with an LDAP
directory. Production LDAP servers may be more complex with regard to the directory information and the
schemas supported. The procedure will be similar in most LDAP installations but the exact configuration steps
will vary.
Because OpenLDAP and other LDAP directories do not speak RADIUS natively, many RADIUS vendors have
produced LDAP hooks to allow their RADIUS servers to authenticate against LDAP directories. For this sample
LDAP installation, Interlink Networks' Secure.XS server was used as the intermediary between the Foundry device
and the OpenLDAP server.

Figure 2. Sample LDAP Installation Topology

Installing OpenLDAP
For installations that will be using Foundrys 802.1X Port Authentication with an LDAP directory for authentication,
an existing production LDAP directory with the necessary user accounts will most likely be in place. This section
describes the required steps for creating an OpenLDAP server for our sample implementation and can be skipped
if a production LDAP directory exists.
The sample LDAP directory will allow anonymous searches without additional security measures such as user
and password credentials for accessing the LDAP directory. To simplify LDAP lookups, passwords were stored in
clear form in the LDAP directory. Production systems should protect the userPassword attribute: restrict which
accounts may read it and carry LDAP traffic over TLS. Note that EAP-MD5 requires the RADIUS proxy to obtain
the password in a form it can feed into the MD5 challenge computation, so a one-way hashed userPassword
(for example an {SSHA} value) cannot be used with this EAP method; if the attribute is not stored in clear form,
the protection must be reversible by the proxy.
Step 1: Prepare a host with the necessary UNIX or Windows operating system; the OS selected must be
supported by OpenLDAP. For the sample installation, Red Hat Linux version 8.0 was used with the latest security
patches.
Step 2: Download, compile, and install OpenLDAP. The source files can be found at www.openldap.org and the
installation guide can be found at the following web site: www.openldap.org/doc/admin/quickstart.html
Step 3: Load the necessary object classes from the schema to populate the LDAP directory with the necessary
objects. For the sample installation, the OpenLDAP person and inetOrgPerson object classes were loaded.
These two object classes supported the basic user account information that will be used to authenticate the client
users.
Step 4: Load any additional management tools to help manage the LDAP directory. GQ version 0.4.0 was
loaded on the sample OpenLDAP server to support a graphical user interface. GQs graphical interface makes
browsing and modifying the LDAP directory much easier.

Step 5: Populate the LDAP directory with the necessary user information. The directory can be populated
through a script file or through the GQ tool. For the sample database, the following parameters were used to
populate the LDAP directory with user information:

Object Class Parameter    Example Value
dn                        cn=john smith,dc=foundry,dc=com
objectClass               person, inetOrgPerson
sn                        smith
cn                        john smith
userPassword              testpassword
telephoneNumber           408 555-1212
displayName               John Smith
givenName                 john
mail                      jsmith@foundry.com
uid                       jsmith


Step 6: Test your LDAP server with the GQ client to ensure that the LDAP directory can be browsed, searched,
and modified.
For 802.1X Port Authentication, the two most critical objects are the User ID (uid) and the User Password
(userPassword) parameters. The authentication proxy will compare the username and password entered by
the client against the uid and userPassword parameters in the LDAP directory to authenticate the client.
NOTE: For more information on installing OpenLDAP, please refer to the following web sites:
http://www.openldap.org
http://www.openldap.org/doc/admin/quickstart.html
http://www.openldap.org/doc/

RADIUS Authentication Proxy


Because LDAP lacks native RADIUS support, an authentication proxy is required with LDAP installations to
answer the Foundry device's RADIUS authentication requests. Interlink Networks' Secure.XS server was used in
the sample installation to perform the RADIUS-to-LDAP authentication. There are many other RADIUS products
that will perform similar functions using LDAP plug-ins. For more information on using your RADIUS server for
LDAP authentication, contact your RADIUS vendor.

Installing Secure.XS
Interlink Networks' Secure.XS version 6.0.3 for Windows was installed on a Windows 2000 Server (with SP3) for
the sample installation. The following steps illustrate a basic installation of Secure.XS and the configuration steps
required to allow Secure.XS to proxy RADIUS authentication requests from the Foundry device to the LDAP
directory.
Depending on the products and versions used for the RADIUS authentication proxy, these steps may or may not
apply. Please check with Interlink Networks for the latest installation guidelines if Secure.XS will be used for your
implementation.
Step 1: Download and install the Secure.XS evaluation software. Follow the installation instructions in the
self-extracting installation file. The source files can be found at Interlink Networks' web site:
www.interlinknetworks.com
Step 2: If necessary, obtain the necessary installation license from Interlink Networks and install the license to
activate the software.


Step 3: Start the Secure.XS Server Manager utility and log into the management interface using the default
administrator account (adminaaa) and password (adminaaa). Change this default password as soon as the
server is installed, since the account controls the RADIUS and LDAP settings. The Server Manager is found
under the Start/Programs/Interlink Networks menu.
The Secure.XS Server Manager screen is displayed as shown in Figure 3.

Figure 3. Secure.XS Server Manager Screen


Step 4: Since this is a new installation, make sure the local configuration files are loaded and start the
Secure.XS server.

Select Load Configuration from the menu, check the localhost option, and click on the Load button. The server
will begin to load the local configuration files and a Transfer Complete message will be displayed when the files
are completely loaded.

Figure 4. Loading Local Configuration



Select Administration from the menu and choose the Start button to enable the Secure.XS server. Once the
server is successfully started, the status window will have the localhost checked and the green Go icon
displayed.


Figure 5. Starting Secure.XS Server


Step 5: Create a new RADIUS Access Client for each Foundry device that will be authenticating clients against
the LDAP directory.

Select Access Devices from the menu and choose the New Access Device option.
Enter the information for the Foundry device:
o Name: IP Address or DNS Name of the Foundry device
o Shared Secret: RADIUS secret set on the Foundry device (must match; use a long random string and a
different secret for each device)
o Vendor: Select Generic
o Options: Leave options unchecked

Repeat this step for each Foundry device that will be authenticating against the LDAP directory.

Figure 6. Creating An Access Device


Step 6: Create the Realm that will be used to support the authentication process. Realms are logical groupings
of users and can parallel the corporate DNS structure. An example of a Realm can be the suffix of a user's email
account. For example, the email account jsmith@foundry.com is configured with a realm of foundry.com.


Select the Local Realm menu option and choose New Local Realm.
Enter the New Local Realm information:
o Name: Realm name that will be used after the User ID, e.g. foundry.com
o Authentication Type: Select ProLDAP
o DNS of File Name: For ProLDAP authentication, this field is used for description purposes. Enter a
descriptive string for this field.
o Protocol: Select All
o Session Tracking: Can be either Yes or No to enable or disable accounting records.
o Filter Type: Select CIS (not case sensitive)

Figure 7. Creating New Local Realm

Select the New LDAP Directory drop-down box and select the New LDAP Directory option. The LDAP
Directory screen will be displayed, allowing the hooks into the LDAP directory to be defined.

On the LDAP Directory screen, enter the following configuration information to set up the LDAP link:
o Directory Name: A unique identifier used to describe the LDAP Directory link, e.g. Foundry OpenLDAP
o Host: The IP Address of the LDAP server or its DNS Name
o Port: The LDAP port number that is supported by the LDAP server (default LDAP port is 389)
o Administrator & Password: The distinguished name (dn) of the account the proxy binds to the directory as,
and its password. These two fields are only required if the LDAP directory doesn't support anonymous
searches. For the sample installation, the OpenLDAP directory was set up to allow anonymous searches. In
production, use a dedicated bind account with read access limited to the attributes the proxy needs rather
than the directory administrator's credentials.
o Search Base: The dc in the LDAP database to begin searching. Enter the same dc information that was used
to create the LDAP directory, for example dc=foundry,dc=com.
o Filter: Enter the LDAP object attribute that will be matched when authenticating against the LDAP directory.
The sample installation will match on the LDAP directory's User ID (uid) attribute.
o Authentication Type: Set to Search
Select the Save button to create the LDAP directory link.
Select the Create button to create the new Local Realm.

Step 7: Create a NULL Realm to allow the Secure.XS server to provide default support for the EAP-MD5
authentication requests from the Foundry device.


Select the Local Realm menu option and choose New Local Realm.
Enter the New Local Realm information:
o Name: Enter NULL
o Authentication Type: Select EAP
o DNS of File Name: For EAP authentication, this field is used for description purposes. Enter a descriptive
string for this field.
o Protocol: Select All
o Session Tracking: Can be either Yes or No to enable or disable accounting records.
o Extended Parameters: Select MD5-Challenge
Click the Create button to create the NULL Realm.
Figure 8. Null Realm Creation

Step 8: Save the configuration to the localhost.

Select the Save Configuration option from the menu. Check the localhost option. Click the Save button.

The Secure.XS server will transfer the changes to the local configuration files. Once the process is complete, the
server will display the Transfer Complete message.

Figure 9. Saving The Configuration To The Localhost


Step 9: Stop and Start the Secure.XS server to enable the new RADIUS clients and Realms. The Stop and
Start controls are found in the Administration menu option.

Secure.XS Windows Version 6.0.3
The following manual configuration-file edits are required to complete the configuration process for LDAP
support. Interlink Networks' Secure.XS will not require these additional steps after version 6.0.3. For complete
installation instructions, please contact Interlink Networks customer support.
Step 1: Stop the Secure.XS server by selecting Stop from the Administration menu.
Step 2: Using a text editor such as WordPad, open the authfile in the \program files\interlinknetworks\aaaserver\raddb
installation directory. This directory tree may be different if the application was installed in a directory other
than the default installation directory.

After the Filter-Type entry, add the following line:

Retrieve-only true

Highlight the entire NULL section and copy it to the clipboard. You will need these four lines in the next step.
Save the file in text format without the .txt extension.
Figure 10. Modifying the AUTHFILE


Step 3: Using a text editor, open the EAP.authfile in the \program files\interlinknetworks\aaaserver\raddb
installation directory. This directory tree may be different if the application was installed in a directory other
than the default installation directory.

Replace the existing NULL section with the NULL section copied from the previous step (authfile). Change the
NULL label to the name that was used for the new LDAP Realm Name in Step 6 of Installing Secure.XS, for
example foundry.com. Save the file in text format without the .txt extension.
Figure 11. Modifying the EAP.authfile

Step 4: Rename the existing radius.fsm file in the \program files\interlinknetworks\aaaserver\raddb installation
directory to radius.fsm-original. Make a copy of the 2stage_wireless.fsm file and rename it to radius.fsm.
Step 5: Start the Secure.XS server by selecting the Start option from the Administration menu.


NOTE: After the changes are made to the authfile and EAP.authfile, any further changes made to the Secure.XS
server and saved to the local configuration files may overwrite the changes manually made in this section. If
changes are made using the Server Manager GUI after this step, please check the contents of the authfile and
EAP.authfile to make sure the correct configuration is set.

NOTE: The LDAP Server must be configured to return the password when the User ID (uid) parameter is
searched. It should also be programmed to return any VLAN information that is stored in the LDAP record. The
base installation of OpenLDAP configured in this sample installation will return the necessary information when
queried.
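The lookup and check that the proxy performs once Retrieve-only is set, written out as an added example (Python, not Secure.XS or OpenLDAP code): it parses an LDIF rendering of the Step 5 sample entry, splits the supplicant identity into user ID and realm, builds an escaped uid search filter, looks the user up in an in-memory directory that stands in for the LDAP server, and verifies the EAP-MD5 response against the retrieved userPassword. The second directory entry, the REALM_SEARCH_BASE table and the status strings are assumptions for illustration; the status for a {SSHA} password shows why this EAP method needs the password in usable form.

```python
import hashlib
import hmac

# Constructed sample directory in LDIF form, mirroring the Step 5 attributes.
# The second entry is an assumption added to show a one-way hashed password;
# its hash text is a placeholder, not a digest of any real password.
SAMPLE_LDIF = """\
dn: cn=john smith,dc=foundry,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: smith
cn: john smith
userPassword: testpassword
telephoneNumber: 408 555-1212
displayName: John Smith
givenName: john
mail: jsmith@foundry.com
uid: jsmith

dn: cn=jane doe,dc=foundry,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: doe
cn: jane doe
# constructed placeholder, not a real SSHA digest
userPassword: {SSHA}cGxhY2Vob2xkZXItbm90LWEtcmVhbC1kaWdlc3Q=
uid: jdoe
"""

# Assumed realm -> search base table (Secure.XS keeps this in its realm config).
REALM_SEARCH_BASE = {"foundry.com": "dc=foundry,dc=com"}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    '#' comments, folded lines (leading space). Base64 '::' values not handled."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":                             # end of entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:     # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def split_identity(identity):
    """'jsmith@foundry.com' -> ('jsmith', 'foundry.com'); no '@' -> realm None."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)


def escape_filter_value(value):
    """RFC 4515 escaping so a supplicant-chosen identity cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(uid):
    """The search filter string the proxy would send to the LDAP server."""
    return "(uid=%s)" % escape_filter_value(uid)


def lookup(directory, search_base, uid):
    """Stand-in for the LDAP search: an entry under search_base whose uid matches
    case-insensitively (the paper's CIS filter type)."""
    for entry in directory:
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith(search_base.lower()):
            continue
        if any(v.lower() == uid.lower() for v in entry.get("uid", [])):
            return entry
    return None


def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 (CHAP-style) response: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def authenticate(directory, identity, eap_id, challenge, response):
    """Proxy-side decision for one MD5-Challenge round; returns a status string."""
    uid, realm = split_identity(identity)
    search_base = REALM_SEARCH_BASE.get(realm)
    if search_base is None:
        return "reject-unknown-realm"
    entry = lookup(directory, search_base, uid)
    if entry is None:
        return "reject-unknown-user"
    stored = entry.get("userpassword", [""])[0]
    # A {SCHEME}hash cannot feed the MD5 computation: EAP-MD5 needs the
    # password itself, which is why the sample directory stores it in clear form.
    if not stored or stored.startswith("{"):
        return "reject-unusable-password"
    expected = eap_md5_response(eap_id, stored.encode(), challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject-bad-response"
```

The filter escaping is the part worth keeping even when a real LDAP library is used: the identity string arrives from the supplicant, and without it an identity such as `jsmith)(uid=*` would rewrite the search filter instead of being treated as a literal user ID.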

Configuring 802.1X Port Authentication


Foundry devices will support up to eight RADIUS servers and will authenticate against them in the order they
were added to the device's configuration. To configure a Foundry device to support 802.1X Port Authentication,
the following procedures are required:

o Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s)
(RADIUS, RADIUS proxy servers, etc.).
o Configure the Foundry device to act as the Authenticator.
o Configure the Foundry device's interaction with the Client device (optional step).

Step 1: Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more
RADIUS or RADIUS proxy servers.
Syntax: [no] aaa authentication dot1x default <radius | none>
BigIron(config)# aaa authentication dot1x default radius
Configure the device to use one or multiple RADIUS or RADIUS proxy servers. Set the authentication and
accounting port numbers to match the RADIUS servers settings, and specify the secret key to authenticate to
the RADIUS server. The secret key string must be identical to the secret key string used on the RADIUS proxy
server (Secure.XS server).

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number> default key <string> dot1x]
BigIron(config)# radius-server host 192.168.100.100 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
BigIron(config)# radius-server host 192.168.101.150 auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
Step 2: Enable the 802.1X authentication feature on the Foundry device, and enable the necessary ports for
802.1X Port Authentication. This enables the Foundry device to act as an 802.1X Authenticator.
Syntax: [no] dot1x-enable
BigIron(config)# dot1x-enable


To configure 802.1X for individual ports, use the enable command with the port number. A range can also be
specified to make the configuration faster. Be careful not to add any uplink ports or ports for critical servers that
do not require 802.1X Port Authentication; access to these hosts may otherwise be lost.
BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
BigIron(config-dot1x)# write memory

Step 3: For all interfaces using 802.1X authentication, set the port control mode to force-authorized,
force-unauthorized, or auto. Auto leaves the controlled port in the unauthorized state until the RADIUS server
validates the authentication.
BigIron(config)# interface e 3/1
BigIron(config-if-3/1)# dot1x port-control auto
The switch is now enabled for 802.1X Port Authentication. Make sure the RADIUS server is properly configured
to authenticate each user.
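The secret configured with radius-server host above is what binds the two ends of that exchange. As an added example (Python, not Foundry or Interlink code) the block below builds the kind of Access-Request the Authenticator sends when it forwards the client's EAP-Response/Identity, computes the RFC 2869 Message-Authenticator over it with the shared secret, and verifies it the way the RADIUS server would; a mismatched secret or a modified attribute fails the check. Attribute type numbers are the RFC 2865/2869 values; the identifier, NAS-Port, request authenticator and identity are constructed, and the secret is the string from the configuration above.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute type numbers from RFC 2865 and RFC 2869.
ACCESS_REQUEST = 1
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attribute(attr_type, value):
    """One attribute: Type, Length (value + 2), Value. Values over 253 bytes
    would have to be split across several attributes of the same type."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single attribute")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code 2, Identifier, Length, Type 1, identity bytes."""
    return struct.pack(">BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_access_request(secret, identifier, request_auth, username, nas_port, eap_packet):
    """Access-Request carrying an EAP-Message. Message-Authenticator is HMAC-MD5
    (keyed with the shared secret) over the packet with its own value zeroed."""
    attrs = (attribute(USER_NAME, username)
             + attribute(NAS_PORT, struct.pack(">I", nas_port))
             + attribute(EAP_MESSAGE, eap_packet)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, kept last
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac             # overwrite the zeroed 16-byte value


def parse_attributes(packet):
    """Walk the attribute list behind the 20-byte header; returns [(type, value)].
    Raises ValueError on any length inconsistency rather than reading past data."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack(">H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(secret, packet):
    """Server-side check with the configured shared secret. False if the secret
    differs, the packet was altered, or the attribute is missing or malformed."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    pos = 20
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def first_attribute(packet, attr_type):
    """Value of the first attribute of the given type, or None."""
    for t, value in parse_attributes(packet):
        if t == attr_type:
            return value
    return None


if __name__ == "__main__":
    # Constructed values: the secret is the one from the radius-server command
    # above; identifier, port and request authenticator are made up for the demo.
    secret = b"mysecretpassword"
    eap = eap_response_identity(1, b"jsmith@foundry.com")
    pkt = build_access_request(secret, 42, os.urandom(16), b"jsmith@foundry.com", 2001, eap)
    print("Access-Request:", pkt.hex())
    print("valid with correct secret:", verify_message_authenticator(secret, pkt))
    print("valid with wrong secret:  ", verify_message_authenticator(b"other", pkt))
```

Message-Authenticator is mandatory whenever EAP-Message is present, and it is the only integrity protection an Access-Request gets, so a server that accepts EAP requests without checking it will also accept packets from anyone who can reach UDP 1812.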

Other 802.1X Commands


Some other important 802.1X commands and options include:
Syntax: show dot1x                                 Displays 802.1X configuration information
Syntax: show dot1x config <portnum>                Displays detailed 802.1X configuration for a port
Syntax: show dot1x statistics <portnum>            Displays 802.1X statistics for a port
Syntax: clear dot1x statistics all | <portnum>     Clears 802.1X statistics for all ports or a specific port

Multiple Host Situations
Foundry's 802.1X Port Authentication defaults to one device per port. For installations that are using more than
one host per 802.1X-enabled port, the following commands should be reviewed.
Syntax: [no] dot1x multiple-hosts
    Allows multiple hosts on an 802.1X-enabled port.
Syntax: [no] timeout security-hold-time <seconds>
    Defines the amount of time the port is locked when multiple hosts are detected on a port configured for only
    one host. The default is 60 seconds.

If the multiple-hosts option is used, the port will allow multiple devices to access the network once the first
802.1X client authenticates successfully. When the authenticated client logs off the network and terminates the
authenticated session, the port will deny access to the remaining hosts. Another client must authenticate
successfully to enable the port for multiple-host access again.


NOTE: For more information on MAC Address Locking and 802.1X authentication, refer to the Foundry Switch
and Router Command Line Interface Reference and the Foundry Security Guide.

Configuring Windows Clients
At the time of this writing (March 2003), Foundry Networks has tested its 802.1X Port Authentication with the
following Microsoft Windows clients:

o Microsoft Windows 2000 Professional English version (must have SP3 and the Q313664_W2K_SP4_X86_EN.exe
patch)
o Microsoft Windows XP English version (with SP1)

After the installation of the required service packs and/or patches, Windows 2000 clients will be configured with
the necessary files to support 802.1X EAP-MD5 authentication. Windows XP clients include 802.1X natively but
must have SP1 to work with DHCP properly.
Perform the following steps to configure the Windows client for 802.1X EAP-MD5 support:
Step 1: Open the Properties window for your Ethernet network connection. With 802.1X support installed,
you should see the Authentication tab.


Check the Enable network access control using IEEE 802.1X box. Select the proper EAP type by selecting
MD5-Challenge from the EAP drop-down box. The Authenticate as computer when computer information is
available selection is optional. Click the OK button when all the selections have been made to save the changes.

Figure 12. Setting Client EAP Type

In order to simplify the authentication process, enable the Show icon in taskbar when connected option from
the General tab. For Windows XP clients, this will allow the balloon help feature to display prompts for entering
authentication information and provide error messages for failed authentication attempts. Reboot the client if
necessary.

Figure 13. Enabling Taskbar Icon

Testing The Client Connection
To test the Windows client, connect the host to the Foundry device's 802.1X-enabled port. After a short period,
the port and the client's NIC will synchronize and the 802.1X EAP-MD5 authentication process will begin. As the
client completes its synchronization, the Network icon in the task bar shows the Local Area Connection speed
and the user is prompted to enter their Local Area Connection credentials (username and password).


Enter the User Name and Password required to authenticate to the LDAP directory. The full user ID and the
Realm suffix that was defined on the Secure.XS server must be entered, for example: jsmith@foundry.com
The Logon Domain information is not required.

Figure 14. Local Area Connection Credential Request


If the LDAP directory server validates the credentials entered, the client is allowed onto the network. If the
LDAP directory server does not validate the credentials, a message similar to the one shown in Figure 15 is
displayed; the EAP-MD5 authentication then times out and the user is prompted for their credentials again.

Figure 15. Failed 802.1X Authentication Message

Additional Tips
If the attempt to obtain a DHCP address fails due to a timing issue (the authentication process was not successful
before the DHCP request timed out) the client may not have a proper DHCP address. Once authentication is
successful and a network connection is granted by the Foundry device, Windows 2000 Professional (SP3 with all
802.1X patches) and Windows XP (SP1) clients should renegotiate a DHCP address with the DHCP server after a
short period of time.
If this is not the case, you can manually release and renew the DHCP address with the following commands from a
command prompt:
C:\> ipconfig /release
C:\> ipconfig /renew


These commands can also be placed in a batch file on the desktop to speed up renewing a DHCP address. An
example of the batch file contents is:
ipconfig /release
ipconfig /renew
pause
exit
If you need to manually control the Local Area Connection authentication prompt, temporarily disconnect the
network cable from the client for 10 seconds and then reattach it. This will trigger a new EAP-MD5
authentication process and allow the user to enter the authentication credentials again.

Other 802.1X Clients Tested
At the time of this writing, Foundry Networks has also tested the following 802.1X EAP-MD5 clients:

- AEGIS Windows Client version 2.0.0 from Meetinghouse Data Communications. The AEGIS Windows Client offers a
  single sign-on solution. For more information on this client, visit: www.mtghouse.com
- AEGIS MAC OS Client version 1.2.1 from Meetinghouse Data Communications. For more information on this client,
  visit: www.mtghouse.com

Configuring Foundry's Dynamic VLAN Feature
With software release 07.6.03, a new feature called Dynamic VLAN Assignment is supported with Foundry's
802.1X Port Authentication. Dynamic VLAN Assignment allows network administrators to assign a specific VLAN
to an individual's user account. When the individual successfully authenticates to the network using
802.1X Port Authentication, they are automatically placed into their respective VLAN.
NOTE: This feature is supported on port-based VLANs only. This feature cannot be used to place an 802.1X-enabled
port into a Layer 3 protocol VLAN. For more information on Foundry's 802.1X Dynamic VLAN Assignment
feature, refer to the 07.6.03 Foundry Switch and Router Command Line Interface Reference and Release Notes.


Foundry uses the following standard RADIUS attributes returned from the LDAP directory to place the port into
the proper VLAN:

Attribute Name            Type   Value
Tunnel-Type               064    13 (decimal) VLAN
Tunnel-Medium-Type        065    6 (decimal) 802
Tunnel-Private-Group-ID   081    <vlan-name> (string) either the name or the number of a VLAN configured
                                 on the Foundry device

The following occurs under Dynamic VLAN Assignment:

1. When the user enters their 802.1X credentials, the Foundry device sends the information to the RADIUS proxy
server (Secure.XS, which fronts the LDAP directory) using the RADIUS protocol.
2. The RADIUS proxy server sends the authentication request to the LDAP directory and uses the user name to
match on the uid stored on the directory server. If the authentication is successful, the required VLAN
information is passed from the LDAP directory to the RADIUS proxy server, which in turn sends it to the
Foundry device.
3. The Foundry device reads the three RADIUS attributes returned to validate the Tunnel-Type and the
Tunnel-Medium-Type. If these attributes were set correctly, the Tunnel-Private-Group-ID attribute is compared to
the VLANs defined on the Foundry device.
4. If a matching VLAN is found, the Foundry device assigns the port to the VLAN using the VLAN ID specified in
the Tunnel-Private-Group-ID. The user dynamically becomes a member of the Port-Based VLAN.
Conditions that may trigger an unsuccessful authentication and/or Dynamic VLAN assignment include:

- If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message do not have
  the values specified above, the Foundry device will ignore the three Attribute-Value pairs. If the
  authentication credentials supplied were valid, the Foundry device authorizes the port, but the port is not
  dynamically placed in a VLAN. Otherwise, the client is not authorized.
- If the Tunnel-Type and the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message have the
  values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client
  will not be authorized.
- When the Foundry device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks its
  VLANs for a match using both the name and the numeric ID. If there is a match, the port is placed in the
  VLAN whose ID corresponds to the VLAN name or ID. If there is no match, the client is not authorized.
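The decision rules above, written out as an added Python example (this is not Foundry code, whose switch-side implementation is not published): it splits the attribute payload of a RADIUS Access-Accept into attribute-value pairs, decodes the three tunnel attributes using the RFC 2868 tagged-integer and tagged-string layouts, and returns the outcome the rules specify. The Access-Accept payloads, the VLAN table and every function and constant name are constructed for the example.

```python
# Switch-side view of Dynamic VLAN Assignment: decode the RFC 2868 tunnel
# attributes in a RADIUS Access-Accept and apply the three rules above.
# Added example, not Foundry code; sample payloads and names are constructed.

TUNNEL_TYPE = 64                 # tag-int
TUNNEL_MEDIUM_TYPE = 65          # tag-int
TUNNEL_PRIVATE_GROUP_ID = 81     # tag-str
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_avps(payload):
    """Split a RADIUS attribute payload into (type, value) pairs, failing closed on bad lengths."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    return avps


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_str(value):
    """RFC 2868 tagged string: a first octet <= 0x1F is a tag, otherwise it is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def decide_vlan(avps, configured_vlans):
    """Return (authorized, vlan_id) for an Access-Accept whose credentials were valid.

    configured_vlans maps VLAN ID -> VLAN name (None if unnamed), i.e. the
    port-based VLANs created with 'vlan <id> by port'. vlan_id is None when the
    port is authorized but left in its original VLAN.
    """
    found = {}
    for atype, value in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = tagged_int(value)[1]
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = tagged_str(value)[1]
    # Rule 1: wrong or absent Tunnel-Type / Tunnel-Medium-Type -> the three AVPs are
    # ignored; the port is authorized but not moved.
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return True, None
    # Rule 2: type and medium correct but no Tunnel-Private-Group-ID -> not authorized.
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group:
        return False, None
    # Rule 3: match the group ID by numeric VLAN ID or by VLAN name; no match -> not authorized.
    for vlan_id, name in configured_vlans.items():
        if group == str(vlan_id) or (name is not None and group == name):
            return True, vlan_id
    return False, None


# Constructed sample Access-Accept attribute payloads (hex: type, length, tag, value).
GOOD_ACCEPT = bytes.fromhex("40060100000d" "410601000006" "5105013130")        # VLAN "10"
NAMED_GROUP = bytes.fromhex("40060100000d" "410601000006"
                            "510e01456e67696e656572696e67")                    # "Engineering"
WRONG_MEDIUM = bytes.fromhex("40060100000d" "410601000001" "5105013130")       # medium IPv4
NO_GROUP = bytes.fromhex("40060100000d" "410601000006")
UNKNOWN_GROUP = bytes.fromhex("40060100000d" "410601000006" "5105013939")      # VLAN "99"

# Port-based VLANs configured on the switch (constructed to mirror the show run example).
SWITCH_VLANS = {1: "DEFAULT-VLAN", 5: "Engineering", 10: None, 20: None}


def outcome(payload, vlans=SWITCH_VLANS):
    return decide_vlan(parse_avps(payload), vlans)


if __name__ == "__main__":
    for label, payload in [("good", GOOD_ACCEPT), ("named", NAMED_GROUP),
                           ("wrong medium", WRONG_MEDIUM), ("no group", NO_GROUP),
                           ("unknown group", UNKNOWN_GROUP)]:
        ok, vlan = outcome(payload)
        print(f"{label:14s} -> authorized={ok}, vlan={vlan}")
```

The first rule is the one to keep in mind operationally: a reply whose Tunnel-Medium-Type is mistyped does not reject the user, it authorizes the port in its original VLAN, so nothing fails loudly. The show interface output in the testing section ("dot1x-RADIUS assigned" versus the original VLAN ID) is where such a misconfiguration becomes visible.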

Configuring LDAP User Accounts
In order to add the necessary RADIUS Tunnel Attributes to the LDAP schema, the RADIUS server's schema
needs to be added to the LDAP directory. For the sample installation using Interlink Networks'
Secure.XS server, the following steps were used to add the necessary RADIUS schema to the OpenLDAP
directory.
NOTE: If 802.1X Dynamic VLAN Assignment is turned on, any user who does not have the RADIUS Tunnel
Attributes set will be placed in the Default VLAN.
Step 1: Copy the Interlink Networks RADIUS schema file (iaaa-radius.schema) to the directory where the
OpenLDAP schema files are stored. By default, OpenLDAP schema files should be located in the following
directory:
/etc/openldap/schema
Step 2: Modify the slapd.conf file to include the new RADIUS schema file. The slapd.conf file is located in the
/etc/openldap/ directory. The modified file should include the following new line:
include /etc/openldap/schema/iaaa-radius.schema
EXAMPLE:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/iaaa-radius.schema

Step 3: Restart the OpenLDAP server (slapd) so that it loads the new schema.
Step 4: Using the GQ viewer, scan the Schema tab. If the RADIUS schema loaded correctly, you should see
many new aaa object classes. The RADIUS object class required to support Foundry's 802.1X Dynamic VLAN
Assignment is aaaPerson and the attribute is aaaReply.
Step 5: For each user requiring Dynamic VLAN support, add aaaPerson to the objectClass list of their LDAP
record. This enables the aaaReply attribute for returning the three RADIUS Tunnel attributes to the
Foundry device: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID.
Step 6: Modify the aaaReply attribute and create three RADIUS Tunnel attributes for each user. Configure the
Tunnel attributes as follows:
aaaReply attribute #1: Tunnel-Type=VLAN
aaaReply attribute #2: Tunnel-Medium-Type=IEEE-802
aaaReply attribute #3: Tunnel-Private-Group-Id=VLAN ID number or name

Step 7: For each user requiring Dynamic VLAN support, repeat steps 5 and 6.
Depending on the RADIUS server being used, the LDAP directory tunnel attributes may have to be entered using
tagged fields. Check with your RADIUS vendor to see if tagged fields are a requirement for the correct handling
of the tunnel attribute values. For the sample installation, Interlink Networks Secure.XS dictionary required the
tunnel attributes to be tagged. The :1: tag was used to precede each tunnel attribute value.
EXAMPLE:
aaaReply attribute #1: Tunnel-Type=:1:VLAN
aaaReply attribute #2: Tunnel-Medium-Type=:1:IEEE-802
aaaReply attribute #3: Tunnel-Private-Group-Id =:1:10

Checking The RADIUS Dictionary


Every RADIUS server has a dictionary that defines the attributes and values it supports. Depending on the
RADIUS vendor, the dictionary layout will vary. Using Interlink Networks' Secure.XS server, the dictionary file is
located in the \program files\interlinknetworks\aaaserver\raddb directory. This directory tree may be
different if the application was installed in a directory other than the default installation directory.
To confirm that the RADIUS Tunnel Attributes are properly defined in the RADIUS dictionary file, perform the
following steps:
Step 1: Using a text editor such as WordPad, navigate to the location of the RADIUS dictionary file and open the
dictionary file.
Step 2: Perform a search and locate the words Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id
in the dictionary file. Verify that the three RADIUS Tunnel Attributes are defined in the ATTRIBUTE
section of the dictionary as displayed below. Notice the tag-int and tag-str types, which require our
sample installation to precede each tunnel attribute value with the :1: tag.

ATTRIBUTE   Login-LAT-Port           63   string    (1, 0, 0)
ATTRIBUTE   Tunnel-Type              64   tag-int   (*, 0, 0)
ATTRIBUTE   Tunnel-Medium-Type       65   tag-int   (*, 0, 0)
ATTRIBUTE   Tunnel-Client-Endpoint   66   tag-str   (*, 0, 0)
:
ATTRIBUTE   Configuration-Token      78   string    (0, 0, 0)
ATTRIBUTE   EAP-Message              79   string    (*, *, *)
# RFC 2869 RADIUS Extensions -- Signature is deprecated
ATTRIBUTE   Message-Authenticator    80   string    (1, 1, 1, NOLOG)
ATTRIBUTE   Signature                80   string    (1, 1, 1)
ATTRIBUTE   Tunnel-Private-Group-Id  81   tag-str   (*, 0, 0)
ATTRIBUTE   Tunnel-Assignment-Id     82   tag-str   (*, 0, 0)
ATTRIBUTE   Tunnel-Preference        83   tag-int   (*, 0, 0)

Step 3: Continue searching for the words Tunnel-Type and Tunnel-Medium-Type until the VALUE section of
the dictionary is displayed. Verify that the Tunnel-Type and Tunnel-Medium-Type attribute values are
defined in the VALUE section. If they are missing, add them into the dictionary file using the string and decimal
values listed below:

Attribute            String Value   Decimal Value
Tunnel-Type          VLAN           13
Tunnel-Medium-Type   IEEE-802       6

The String Value specified in the dictionary file must match the values used in the aaaReply attribute of each
user's LDAP record.
EXAMPLE:


Tunnel Type Values

VALUE   Tunnel-Type   PPTP          1
VALUE   Tunnel-Type   L2F           2
VALUE   Tunnel-Type   L2TP          3
VALUE   Tunnel-Type   ATMP          4
VALUE   Tunnel-Type   VTP           5
VALUE   Tunnel-Type   AH            6
VALUE   Tunnel-Type   IP-IP-Encap   7
VALUE   Tunnel-Type   MIN-IP-IP     8
VALUE   Tunnel-Type   ESP           9
VALUE   Tunnel-Type   GRE           10
VALUE   Tunnel-Type   DVS           11
VALUE   Tunnel-Type   IP-IP         12
VALUE   Tunnel-Type   VLAN          13

Tunnel Medium Type Values

VALUE   Tunnel-Medium-Type   IPv4           1
VALUE   Tunnel-Medium-Type   IPv6           2
VALUE   Tunnel-Medium-Type   NSAP           3
VALUE   Tunnel-Medium-Type   HDLC           4
VALUE   Tunnel-Medium-Type   BBN-1822       5
VALUE   Tunnel-Medium-Type   IEEE-802       6
VALUE   Tunnel-Medium-Type   E-163          7
VALUE   Tunnel-Medium-Type   E-164          8
VALUE   Tunnel-Medium-Type   F-69           9
VALUE   Tunnel-Medium-Type   X-121          10
VALUE   Tunnel-Medium-Type   IPX            11
VALUE   Tunnel-Medium-Type   Appletalk      12
VALUE   Tunnel-Medium-Type   DecnetIV       13
VALUE   Tunnel-Medium-Type   Banyan-Vines   14
VALUE   Tunnel-Medium-Type   E-164-NSAP     15

Step 4: Save the dictionary file in text format without the .txt extension.
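Steps 5 and 6 of the LDAP user account procedure and the dictionary checks above, tied together as one added Python example (not Secure.XS or OpenLDAP code): it reads the aaaReply values from a constructed LDIF record, refuses a record that lacks the aaaPerson object class, resolves the string values VLAN and IEEE-802 through the dictionary VALUE section, honours the :1: tag, and produces the tunnel attributes as they are encoded on the wire in a RADIUS Access-Accept. The DN, the dictionary subset and all function names are the example's own assumptions; the untagged record shows the failure mode the dictionary's tag-int and tag-str types create.

```python
import re

# Server-side view: how a user's aaaReply values become the tagged RADIUS tunnel
# attributes the proxy forwards to the switch. Added example, not Secure.XS or
# OpenLDAP code; the DN, the dictionary subset and all names are constructed.

# Subset of the Secure.XS ATTRIBUTE section shown above: name -> (type, kind)
DICTIONARY = {
    "Tunnel-Type": (64, "tag-int"),
    "Tunnel-Medium-Type": (65, "tag-int"),
    "Tunnel-Private-Group-Id": (81, "tag-str"),
}
# VALUE section shown above: attribute -> {string value: decimal}
DICT_VALUES = {
    "Tunnel-Type": {"PPTP": 1, "L2F": 2, "L2TP": 3, "ATMP": 4, "VTP": 5, "AH": 6,
                    "IP-IP-Encap": 7, "MIN-IP-IP": 8, "ESP": 9, "GRE": 10, "DVS": 11,
                    "IP-IP": 12, "VLAN": 13},
    "Tunnel-Medium-Type": {"IPv4": 1, "IPv6": 2, "NSAP": 3, "HDLC": 4, "BBN-1822": 5,
                           "IEEE-802": 6, "E-163": 7, "E-164": 8, "F-69": 9, "X-121": 10,
                           "IPX": 11, "Appletalk": 12, "DecnetIV": 13,
                           "Banyan-Vines": 14, "E-164-NSAP": 15},
}

# Constructed LDIF for one user as Steps 5 and 6 leave it (not a directory export).
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=foundry,dc=com
objectClass: inetOrgPerson
objectClass: aaaPerson
uid: jsmith
aaaReply: Tunnel-Type=:1:VLAN
aaaReply: Tunnel-Medium-Type=:1:IEEE-802
aaaReply: Tunnel-Private-Group-Id =:1:10
"""
# Same user with the :1: tag left off: the mistake the dictionary check guards against.
UNTAGGED_LDIF = SAMPLE_LDIF.replace(":1:", "")

REPLY_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+)\s*=\s*(?::(?P<tag>\d+):)?(?P<value>.*)$")


def parse_aaa_reply(ldif):
    """Return (name, tag, value) per aaaReply line; tag is None when the :n: prefix is absent."""
    lines = ldif.splitlines()
    if "objectClass: aaaPerson" not in lines:
        raise ValueError("record lacks objectClass aaaPerson, so aaaReply is not permitted")
    replies = []
    for line in lines:
        if not line.startswith("aaaReply:"):
            continue
        m = REPLY_RE.match(line[len("aaaReply:"):].strip())
        if not m:
            raise ValueError("malformed aaaReply: " + line)
        tag = int(m.group("tag")) if m.group("tag") is not None else None
        replies.append((m.group("name"), tag, m.group("value").strip()))
    return replies


def encode_reply(name, tag, value):
    """Encode one aaaReply as a RADIUS AVP using the RFC 2868 tagged-attribute layout."""
    atype, kind = DICTIONARY[name]
    if tag is None:
        raise ValueError(f"{name} is {kind}: Secure.XS needs a tagged value such as :1:{value}")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00..0x1F")
    if kind == "tag-int":
        number = DICT_VALUES[name].get(value)
        if number is None:
            if not value.isdigit():
                raise ValueError(f"{value!r} is not in the VALUE section for {name}")
            number = int(value)          # a raw decimal such as 13 is also accepted
        data = bytes([tag]) + number.to_bytes(3, "big")
    else:                                 # tag-str: tag octet followed by the string
        data = bytes([tag]) + value.encode("ascii")
    return bytes([atype, 2 + len(data)]) + data


def ldif_to_avps(ldif):
    """All aaaReply values of a record, concatenated as they appear in an Access-Accept."""
    return b"".join(encode_reply(*reply) for reply in parse_aaa_reply(ldif))


if __name__ == "__main__":
    print(ldif_to_avps(SAMPLE_LDIF).hex())
    try:
        ldif_to_avps(UNTAGGED_LDIF)
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the script prints the hex of the three attributes for the tagged record (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-Id "10") and then the rejection of the untagged record; the same reasoning applies when the VALUE entries are missing from the dictionary, which is why Step 3 asks you to verify them.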

Creating Port-Based VLANs
Port-Based VLANs must be created on each Foundry device participating in the 802.1X Dynamic VLAN Assignment
topology. 802.1X Dynamic VLAN Assignment is only supported on port-based VLANs. This feature cannot be
used to place an 802.1X-enabled port into a Layer 3 protocol VLAN.
Step 1: Create the necessary Port-Based VLANs on each Foundry device. The VLAN IDs or names must match
the Tunnel-Private-Group-Id values set in the aaaReply attribute of the LDAP user records configured in the
previous steps.
To create the port-based VLAN: Syntax: vlan <vlan-id> by port
To add ports: Syntax: untagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]


To turn on Spanning Tree Protocol: Syntax: [no] spanning-tree


EXAMPLE
This example creates a port-based VLAN with the VLAN ID of 10 and assigns an untagged uplink port E7/24 to
the VLAN. Users matching the VLAN Group ID of 10 will be automatically added to this VLAN using 802.1X
Dynamic VLAN Assignment.
Dept_Switch-1(config)# vlan 10 by port
Dept_Switch-1(config-vlan-10)# untagged eth 7/24
Dept_Switch-1(config-vlan-10)# spanning-tree
Dept_Switch-1(config-vlan-10)# exit
Dept_Switch-1(config)# write memory
Step 2: Repeat Step 1 for each Port-Based VLAN that needs to be created.

Testing The Dynamic VLAN Feature

In order to successfully test the 802.1X Dynamic VLAN Assignment feature, the following components must be
fully installed and configured according to the procedures outlined in this White Paper:

- Authentication Proxy Server such as Interlink Networks' Secure.XS server
- LDAP Directory such as OpenLDAP
- LDAP user accounts must be configured with the RADIUS Tunnel schema to support the necessary Tunnel
  attributes
- LDAP user accounts must be configured with the correct Tunnel attribute and VLAN ID values
- The Authentication Proxy Server's dictionary must be configured to support and forward the RADIUS tunnel
  attributes
- Foundry 802.1X capable device with version 07.6.03 code or later
- 802.1X compliant workstation or file server

Step 1: Using a workstation that is configured properly for 802.1X client support, connect to the Foundry
devices 802.1X enabled port.
Step 2. Follow the steps outlined in the section, Testing The Client Connection on page 17 to authenticate the
client. Use one of the LDAP user accounts that were configured with the VLAN object parameters.


Step 3. Once the client is authenticated, check the Foundry device to make sure the client's port is added to
the proper Port-Based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN
assignment:
Syntax: show run
    Displays the dynamically assigned ports in each Port-Based VLAN.
Syntax: show interface <port>
    Displays detailed port information showing the original Layer 2 VLAN the port belonged to before the
    dynamic assignment and the VLAN membership after the dynamic assignment.

EXAMPLE Show Run Command


This example displays the results of the show run command. An 802.1X client was authenticated using a valid
user account on the OpenLDAP directory server that had their Tunnel-Private-Group-ID set to 5. From the show
run illustration, the 802.1X client is connected to port Ethernet 22. After successful authentication, port Ethernet
22 is dynamically assigned to Port-Based VLAN 5 as an untagged port.
SW-telnet@FI4802-PREM#show run
ver 07.6.03B2T51
!
dot1x-enable
enable ethe 20 to 29
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
untagged ethe 1
!
vlan 20 by port
untagged ether 11
!
vlan 5 by port
untagged ethe 21
untagged ethe 22

EXAMPLE Show Interface Command
This example shows the dynamic VLAN information for port Ethernet 22 after the automatic VLAN assignment
was made. Note the original VLAN ID was 1 and the new dot1x-RADIUS assigned VLAN is 5.
SW-telnet@FI4802-PREM#sho int e22
FastEthernet22 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
port is untagged, port state is FORWARDING
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
:
:
:
:
:
:
:
:


NOTE: For more information on Foundry's 802.1X Dynamic VLAN Assignment feature and new status messages,
refer to the 07.6.03 Foundry Switch and Router Command Line Interface Reference and Release Notes.


Foundry Networks, Inc.


Headquarters
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
U.S. and Canada Toll-free: (888) TURBOLAN
Direct telephone: +1 408.586.1700
Fax: 1-408-586-1900
Email: info@foundrynet.com
Web: http://www.foundrynet.com
Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other
trademarks are the properties of their respective owners.
2003 Foundry Networks, Inc. All Rights Reserved.
